The European Union's Cyber Resilience Act (CRA) is imposing its first binding obligations on manufacturers of connected building products within months, placing HVAC controllers, smart meters, access control systems, and building management gateways firmly in scope of the continent's most sweeping product cybersecurity law to date.
The CRA entered into force on 10 December 2024, with reporting obligations applying from 11 September 2026 and all main obligations fully enforceable from 11 December 2027. For vendors supplying the European commercial real estate and smart building market, the phased deadlines represent a tightening compliance corridor already reshaping procurement specifications, product development cycles, and conformity assessment pipelines.
Background
The CRA was formally adopted as Regulation (EU) 2024/2847, establishing what the European Commission describes as a unified legal framework for product cybersecurity across all 27 member states. Unlike the NIS2 Directive, which focuses on organisational cybersecurity, the CRA targets the security of products themselves. Rather than relying on fragmented national rules or voluntary guidelines, it enforces a single, harmonised set of obligations, shifting responsibility for security onto manufacturers and requiring that connected devices remain secure throughout their lifecycle.
The regulation aims to fill legislative gaps and ensure that products with digital components, including IoT devices, are secure throughout the supply chain and their full lifecycle. The building sector is directly exposed: smart meters, sensors, industrial control systems, smart thermostats, and connected access control devices all fall within the CRA's product scope. Products classified as "Critical" (a category that includes smart meter gateways) face the most stringent requirements, given that their failure could disrupt essential services.
This article builds on previous coverage of security-by-design practices in building automation, which examined the threat landscape driving regulatory action in this sector.
Details
Three hard dates now govern compliance planning for building IoT vendors.
On 11 June 2026, provisions on the notification of Conformity Assessment Bodies (CABs) come into application, requiring member states to designate notifying authorities. From that date, organisations must have identified and begun working with qualified third parties for product assessments.
The more immediate pressure point is 11 September 2026, when mandatory vulnerability and incident reporting obligations take effect. Manufacturers must file a 24-hour early warning and a 72-hour full notification for actively exploited vulnerabilities. This obligation applies regardless of when a product was originally shipped: if a product remains on the market and an exploitable vulnerability emerges, the manufacturer must detect and report it from 11 September 2026.
The CRA mandates a machine-readable Software Bill of Materials (SBOM), secure-by-design engineering, coordinated vulnerability disclosure, and security updates for the product's expected lifetime. Manufacturers must also define a support period during which they will manage vulnerabilities, lasting at least five years unless the expected product lifetime is shorter.
The regulation establishes a tiered risk classification with direct consequences for certification pathways. Standard products can typically be self-assessed, but "Important" or "Critical" products require third-party notified body assessments. Full compliance, including CE marking and conformity assessment, is required from 11 December 2027. Non-compliance can trigger fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
The regulation applies regardless of where a manufacturer is headquartered. A US-based vendor selling into Germany or a Japanese IoT supplier shipping to France are both subject to the CRA.
A parallel challenge for integrators and building operators is the status of harmonised standards. The European Commission has adopted a request for 41 standards to support CRA implementation, but most are not yet ready, with the adoption deadline for the majority set for Q3/Q4 2026. In March 2026, the Commission published draft guidance for stakeholder feedback to help companies apply the CRA, clarifying how key provisions should be interpreted and implemented.
Outlook
The Commission's implementation roadmap anticipates first standardisation deliverables in Q3 2026, a delegated act on the European Cybersecurity Certification scheme's relationship with the CRA in Q4 2026, and notification of sufficient Conformity Assessment Bodies across member states by 11 December 2026. For building operators procuring connected HVAC, metering, or access control equipment, this timetable means any product placed on the EU market after 11 September 2026 must already comply with the CRA's vulnerability reporting obligations under Article 14. Compliance will demand new processes for development, supply chain management, and post-market support, a reality now driving contract renegotiations, revised procurement criteria, and accelerated SBOM adoption across European building projects.
